segmentio / analytics-node

The hassle-free way to integrate analytics into any node application.

Home Page: https://segment.com/libraries/node

Update axios to `1.6.0` to make it possible to get a security fix

stefreak opened this issue

I get the following error in Dependabot to resolve a security alert for axios:

Axios Cross-Site Request Forgery Vulnerability

Dependabot cannot update axios to a non-vulnerable version
The latest possible version that can be installed is 0.27.2 because of the following conflicting dependencies:

analytics-node@6.2.0 requires axios@^0.27.2
The lockfile might be out of sync?
The earliest fixed version is 1.6.0.

Ah, I just saw that this package is deprecated. Will try switching to https://github.com/segmentio/analytics-next/tree/master/packages/node

@stefreak Thanks for maintaining this package. Any word on when we can expect the update?